Two years ago, Executive Order 14028 ("Improving the Nation's Cybersecurity") highlighted the importance of updating the Nation's cyber hygiene.
In September 2022, the Office of Management and Budget (OMB) made it actionable by rolling out memo M-22–18 ("Enhancing the Security of the Software Supply Chain through Secure Software Development Practices").
M-22–18 outlines part of the EO14028 implementation plan for Federal agencies.
The memo, in turn, focuses on two artifacts to establish the security and maturity of a software producer's development practices.
- A self-attestation form declaring the producer's development practices
- Software Bill of Materials (SBOM) per product version declaring the composition of the software
While the specification and requirements for SBOM have been well established with NTIA's Minimum Elements for a Software Bill of Materials, the requirements for the self-attestation have been a work in progress (and it will be interesting to see how the deadlines — July for critical software and September for all other software — can be managed).
On April 27, CISA rolled out the specifics of the self-attestation form for public comments. The form leans heavily on Practices and Tasks specified in the NIST SP 800–218 ("Secure Software Development Framework") revised to version 1.1 for the Executive Order.
While the requirements can still change after the end of the public comments period (June 26, 2023), Interlynk has mapped out self-attestation requirements in an easy-to-follow format to help organizations get a head start.
Who is impacted?
M-22–18 is a memo to the Federal agencies; therefore, the requirements only apply to software being sold to or used by them.
All of the following types of software change require producers to submit the self-attestation form with the relevant agencies:
- Software developed after September 14, 2022
- Software going through a major revision after September 14, 2022
- Continuously delivered software (e.g., software-as-a-service)
Two carved-out exceptions are:
- Software self-developed by the Federal agencies
- Freely available (e.g., open-source) software
Attestation Format
The attestation form can be filled out online (link to be determined per agency) or via a local PDF download and email (email to be determined per agency).
An attestation can apply to a single product version, multiple versions of the product, an entire product line, or the entire company.
Attestation Requirements
The self-attestation document references multiple sections of the Secure Software Development Framework (SSDF) and Executive Order 14028. Specifically, the self-attestation requires the declaration of the following:
- Security of the software development environment
- Trust in the software source code supply chain
- Automated tools and processes for trusting software supply chain
- Management of provenance data for internal and third-party code
- Policy, program, and automated processes for the management of the vulnerability in the software
Interlynk has mapped the requirements with the SSDF-referenced notional examples here. This can serve as the reference guide for implementing the required controls.
Public Comments for Self-Attestation
The document is open for public comments until June 26, and this is an excellent opportunity to share any concerns or clarification with the CISA before it becomes part of the requirements. To make a comment publicly (or anonymously), head over to: https://www.regulations.gov/document/CISA-2023-0001-0001 and click on "Comment." (Direct link: https://www.regulations.gov/commenton/CISA-2023-0001-0001)
Getting Ready
Interlynk's mission encompasses easy, obvious, and automated software disclosures, security controls, and requirements outlined in the EO14028 and M-22–18 are incremental steps toward a more transparent and resilient software ecosystem. We are here to help any organization that needs support with clarity, guidance, or implementation of these controls.
Reach out to us at hello@interlynk.io for a chat.
